Abstract. We formulate the classical decoding algorithm of alternant codes 
afresh based on interpolation as in Sudan's list decoding of Reed-Solomon 
codes, and thus get rid of the key equation and the linear recurring sequences 
in the theory. The result is a streamlined exposition of the decoding algorithm 
using a bit of the theory of Gröbner bases of modules. 



1. Introduction 

The family of alternant codes embraces BCH codes and Reed-Solomon codes, 
which are important in the practice of error control coding. The popular decoding 
algorithm of BCH codes using the Berlekamp-Massey algorithm or the Euclidean 
algorithm in fact decodes any alternant code for errors of weight half of the code's 
designed distance. The decoding algorithm is formulated around the so-called key 
equation, and the Berlekamp-Massey algorithm itself is explained by the theory of 
linear recurring sequences. See any texts on coding theory [H [Jj [9] . 

Reed-Solomon codes are the simplest example of algebraic geometry codes — 
codes on the affine line, and generalized Reed-Solomon codes are a slight variation 
of Reed-Solomon codes. As alternant codes are defined as subfield subcodes of 
generalized Reed-Solomon codes, they inherit certain geometric structures from 
Reed-Solomon codes. From this point of view, the origin of the key equation and 
the linear recurring sequences in the theory of the decoding algorithm of alternant 
codes is somewhat mysterious. 

Recently, in [BJ, it was shown that the decoding algorithm of Reed-Solomon 
codes using the Berlekamp-Massey algorithm can be understood as a special case 
of Sudan's list decoding of Reed-Solomon codes [TQl EJ- This result hints that 
we may formulate the classical decoding algorithm of alternant codes in terms of 
interpolation and division as in list decoding. The aim of this paper is to make this 
idea explicit. 

Fitzpatrick [3] was the first to show that the theory of linear recurring sequences 
can be removed in formulating the decoding algorithm of alternant codes, using 
Gröbner bases of modules instead. Going one step further from his work, we will 
replace the key equation with an interpolation, which fits better with the geometric 
viewpoint on alternant codes. 

In Section 2, we review the definitions of alternant codes and related codes. 
See [9] for more detailed treatment of alternant codes. In Section 3, we observe 
that decoding of alternant codes essentially reduces to that of Reed-Solomon codes, 
and present a decoding algorithm using the theory of Gröbner bases of modules. 
In fact we use very little of the Gröbner bases theory, and recommend [2] for an 
introduction to the subject. In Section 4, the case of BCH codes is briefly treated. 

2. Alternant codes 

Alternant codes are defined as subfield subcodes of generalized Reed-Solomon 
codes. So we let $\mathbb{F} \subset \mathbb{E}$ be an extension of finite fields, and first define generalized 
Reed-Solomon codes over $\mathbb{E}$. 

Let $n$ be a positive integer, and $\mathbb{E}[x]_n = \{f \in \mathbb{E}[x] \mid \deg(f) < n\}$. We fix 
a set $\alpha = \{\alpha_1, \alpha_2, \dots, \alpha_n\}$ of $n$ distinct points of $\mathbb{E}$. For $\alpha$, the evaluation map 
$\mathrm{ev} : \mathbb{E}[x]_n \to \mathbb{E}^n$ is defined by 

$$f \mapsto (f(\alpha_1), f(\alpha_2), \dots, f(\alpha_n)).$$

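Clearly $\mathrm{ev}$ is an isomorphism of vector spaces over $\mathbb{E}$. The inverse map $\mathrm{ev}^{-1}$ is 
given by Lagrange interpolation as follows. Define 

$$\tilde{h}_i = \prod_{j=1,\, j \ne i}^{n} (x - \alpha_j), \quad \text{and} \quad h_i = \tilde{h}_i(\alpha_i)^{-1} \tilde{h}_i$$

such that $h_i(\alpha_j) = 1$ if $j = i$, and $0$ otherwise. So $\{h_1, h_2, \dots, h_n\}$ forms a basis of 
$\mathbb{E}[x]_n$. For any vector $v = (v_1, v_2, \dots, v_n) \in \mathbb{E}^n$, we define 

$$h_v = \mathrm{ev}^{-1}(v) = \sum_{i=1}^{n} v_i h_i \in \mathbb{E}[x]_n.$$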

For an integer $1 \le k \le n$, the Reed-Solomon code $\mathrm{RS}(\alpha, k)$ is defined as 

$$\mathrm{RS}(\alpha, k) = \{\mathrm{ev}(f) \mid \deg f(x) < k,\ f(x) \in \mathbb{E}[x]\}.$$

It is well known that $\mathrm{RS}(\alpha, k)$ is an $[n, k, n - k + 1]$ linear code over $\mathbb{E}$. For a 
set $u = \{u_1, u_2, \dots, u_n\}$ of nonzero elements in $\mathbb{E}$, the distortion map $\tau_u$ on $\mathbb{E}^n$ is 
defined by 

$$(v_1, v_2, \dots, v_n) \mapsto (u_1 v_1, u_2 v_2, \dots, u_n v_n).$$

Obviously $\tau_u$ is a linear automorphism on $\mathbb{E}^n$ preserving Hamming weights. Later 
we will use the notation $v' = \tau_u^{-1}(v)$ for $v \in \mathbb{E}^n$. Now the generalized Reed-Solomon 
code $\mathrm{GRS}(\alpha, u, k)$ is defined to be 

$$\mathrm{GRS}(\alpha, u, k) = \tau_u(\mathrm{RS}(\alpha, k)) = \{\tau_u \circ \mathrm{ev}(f) \mid \deg f(x) < k,\ f(x) \in \mathbb{E}[x]\}.$$

As an isomorphic image of $\mathrm{RS}(\alpha, k)$ by $\tau_u$, the generalized Reed-Solomon code 
$\mathrm{GRS}(\alpha, u, k)$ is an $[n, k, n - k + 1]$ linear code over $\mathbb{E}$. Note that the set of codewords 
$\{\tau_u \circ \mathrm{ev}(x^a) \mid 0 \le a \le k - 1\}$ forms a basis of $\mathrm{GRS}(\alpha, u, k)$. The matrix whose rows 
are these $k$ codewords is called the canonical generator matrix of $\mathrm{GRS}(\alpha, u, k)$. The 
family of generalized Reed-Solomon codes contains their own duals. 

Proposition 1. The dual of $\mathrm{GRS}(\alpha, u, k)$ is $\mathrm{GRS}(\alpha, v, n - k)$, where $v = \{v_i\}$ with 
$v_i^{-1} = u_i \tilde{h}_i(\alpha_i)$ for $1 \le i \le n$. 

Proof. Let $0 \le a \le k - 1$ and $0 \le b \le n - k - 1$. As $\mathrm{ev}$ is an isomorphism, 

$$x^{a+b} = \mathrm{ev}^{-1}\big((\alpha_1^{a+b}, \alpha_2^{a+b}, \dots, \alpha_n^{a+b})\big) = \sum_{i=1}^{n} \alpha_i^{a+b} h_i.$$

Comparing the coefficients of $x^{n-1}$ on both sides, we see 

$$0 = \sum_{i=1}^{n} \tilde{h}_i(\alpha_i)^{-1} \alpha_i^{a+b} = \tau_u \circ \mathrm{ev}(x^a) \cdot \tau_v \circ \mathrm{ev}(x^b),$$

where the dot denotes the inner product on $\mathbb{E}^n$. This completes the proof. □

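Finally the alternant code $C_{\mathbb{F}}(\alpha, u, k)$ is defined by 

$$C_{\mathbb{F}}(\alpha, u, k) = \mathrm{GRS}(\alpha, u, k) \cap \mathbb{F}^n = \tau_u(\mathrm{RS}(\alpha, k)) \cap \mathbb{F}^n.$$

So $C_{\mathbb{F}}(\alpha, u, k)$ is a linear code over $\mathbb{F}$ of length $n$ and dimension $\le k$, since a basis of 
$C_{\mathbb{F}}(\alpha, u, k)$ over $\mathbb{F}$ is linearly independent also over $\mathbb{E}$. Clearly its minimum distance 
is at least $n - k + 1$, which is called the designed distance of the alternant code 
$C_{\mathbb{F}}(\alpha, u, k)$. 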



3. Decoding algorithm 

It is obvious that a decoding algorithm of $\mathrm{GRS}(\alpha, u, k)$ correcting errors up to 
half of its minimum distance is immediately a decoding algorithm of $C_{\mathbb{F}}(\alpha, u, k)$ 
correcting errors up to half of its designed distance. In turn, a decoding algorithm 
of $\mathrm{GRS}(\alpha, u, k)$ will be obtained by a slight modification of a decoding algorithm 
of $\mathrm{RS}(\alpha, k)$. Below we present a decoding algorithm of $\mathrm{GRS}(\alpha, u, k)$, and hence of 
$C_{\mathbb{F}}(\alpha, u, k)$, correcting up to $\lfloor (n - k)/2 \rfloor$ errors. 

Let $c$ denote a codeword of $C_{\mathbb{F}}(\alpha, u, k)$ sent through a noisy channel. Suppose 
that $r = c + e$ is the received vector with error vector $e$. Let $t = \mathrm{wt}(e)$. We assume 
$2t < n - k + 1$ so that $c$ is the unique codeword that lies in the Hamming sphere of 
radius $\lfloor (n - k)/2 \rfloor$ centered at $r$. Let $\mathbb{E}[x, y]_1 = \{f \in \mathbb{E}[x, y] \mid y\text{-}\deg(f) \le 1\}$. Note 
that $\mathbb{E}[x, y]_1$ is a free module of rank 2 over $\mathbb{E}[x]$. We consider 

$$M = \{f \in \mathbb{E}[x, y]_1 \mid f(\alpha_i, u_i^{-1} r_i) = 0 \text{ for } 1 \le i \le n\}.$$

It is clear that $M$ is an $\mathbb{E}[x]$-submodule of $\mathbb{E}[x, y]_1$. 

We review the necessary theory of Gröbner bases of submodules of $\mathbb{E}[x, y]_1$. Note 
that $x^i y^j$ with $i \ge 0$ and $j = 0$ or $1$ are all the monomials of $\mathbb{E}[x, y]_1$. Given a 
parameter $s$, we define the monomial order $>_s$ as follows. The weights of the 
variables $x$ and $y$ are set to be $1$ and $s$, respectively, so that the $s$-weighted degree 
of the monomial $x^i y^j$ is $i + js$. Monomials are ordered by their weighted degree and 
if tied, the monomial with $y$ factor dominates the other. The minimal element of 
a submodule $S$ of $\mathbb{E}[x, y]_1$ with respect to $>_s$ is the element of $S$ with the smallest 
leading term, determined up to a constant. The following is trivial by Buchberger's 
S-pair criterion. 

Proposition 2. If $\{f_1, f_2\}$ is a basis of a submodule $S$ of $\mathbb{E}[x, y]_1$ with $y\text{-}\deg(f_1) = 0$ 
and $y\text{-}\deg(f_2) = 1$, then $\{f_1, f_2\}$ is a Gröbner basis of $S$. 

For the received vector $r$, define 

$$\eta = \prod_{i=1}^{n} (x - \alpha_i), \qquad h_{r'} = \sum_{i=1}^{n} r_i u_i^{-1} h_i.$$

Clearly $y - h_{r'}, \eta \in M$. In fact, 

Proposition 3. $\{\eta, y - h_{r'}\}$ is a module basis of $M$. 

Proof. Let $ay + b \in M$ with $a, b \in \mathbb{E}[x]$. Note that $ay + b - a(y - h_{r'}) = b + a h_{r'} \in 
M \cap \mathbb{E}[x]$. Therefore $b + a h_{r'}$ vanishes on $\alpha_i$ for $1 \le i \le n$, and we can write 
$b + a h_{r'} = c\eta$ for some $c \in \mathbb{E}[x]$. Thus $ay + b = a(y - h_{r'}) + c\eta$. □ 

Let $f_e = \prod_{e_i \ne 0} (x - \alpha_i)$. Suppose $c = \tau_u \circ \mathrm{ev}(h_{c'})$ with $\deg(h_{c'}) < k$. Observe 
that $f_e(y - h_{c'})$ is in $M$. Moreover, 

Proposition 4. $f_e(y - h_{c'})$ is the minimal element of $M$ with respect to $>_{k-1}$. 

Proof. Assume $f_e(y - h_{c'})$ is not minimal in $M$. Then for some $a, b \in \mathbb{E}[x]$ not both 
zero, 

$$\mathrm{lt}(f_e(y - h_{c'})) >_{k-1} \mathrm{lt}(a(y - h_{r'}) + b\eta).$$

Note that the $(k - 1)$-weighted degree of $f_e(y - h_{c'})$ is $t + k - 1$, and thus either 

$$t + k - 1 > \deg(a) + k - 1 \ge \deg(-a h_{r'} + b\eta)$$

or 

$$t + k - 1 \ge \deg(-a h_{r'} + b\eta) > \deg(a) + k - 1.$$

In either case, it follows that 

$$t > \deg(a), \qquad t + k - 1 \ge \deg(-a h_{e'} + b\eta)$$

since $h_{r'} = h_{c'} + h_{e'}$ and $k - 1 \ge \deg(h_{c'})$. We see that $a$ is nonzero by the second 
inequality. If $a h_{e'} = b\eta$, then $a(\alpha_i) = 0$ whenever $e_i \ne 0$ so that $\deg(a) \ge t$, 
contradicting the first inequality. Hence $-a h_{e'} + b\eta$ is a nonzero polynomial in $x$. 
Note that it has at least $n - t$ zeros. Therefore 

$$t + k - 1 \ge \deg(-a h_{e'} + b\eta) \ge n - t.$$

This contradicts our assumption that $2t < n - k + 1$. □ 

Observe that the minimal element $f_e(y - h_{c'})$ of $M$ with respect to $>_{k-1}$ should 
appear as an element of the Gröbner basis of $M$ with respect to $>_{k-1}$. Therefore 
once the Gröbner basis is at hand, the sent codeword $c$ can be retrieved by computing 
$\tau_u \circ \mathrm{ev}(h_{c'})$. Below we describe an algorithm converting the basis $\{\eta, y - h_{r'}\}$ 
to a Gröbner basis of the module $M$ with respect to $>_{k-1}$. 

Suppose that $A, B, C, D \in \mathbb{E}[x]$ such that 

$$\{Ay + B,\ Cy + D\}$$

is a basis of $M$. Assume that $\deg(B) + \deg(C) > \deg(A) + \deg(D)$ and that 
$\deg(A) + k - 1 < \deg(B)$, that is, $y\text{-}\deg(\mathrm{lt}(Ay + B)) = 0$. 

If $\deg(C) + k - 1 \ge \deg(D)$, that is, $y\text{-}\deg(\mathrm{lt}(Cy + D)) = 1$, then $\{Ay + B, Cy + D\}$ 
is a Gröbner basis of $M$. Suppose that $\deg(C) + k - 1 < \deg(D)$, and let $d = 
\deg(D) - \deg(B)$ and $c = \mathrm{lc}(D)\, \mathrm{lc}(B)^{-1}$. We now consider the following two cases. 

Case: $\deg(D) \ge \deg(B)$. In this case, 

$$\{Ay + B,\ (C - c x^d A) y + (D - c x^d B)\}$$

is clearly a basis of $M$. Moreover 

(i) $\deg(B) + \deg(C - c x^d A) > \deg(A) + \deg(D - c x^d B)$, 

(ii) $\deg(D - c x^d B) - \deg(C - c x^d A) < \deg(D) - \deg(C)$. 

Proof. Note that by our assumption, 

$$\deg(x^d A) = \deg(D) - \deg(B) + \deg(A) < \deg(C),$$

and that $c, d$ were chosen such that 

$$\deg(D - c x^d B) < \deg(D).$$

We can easily check the assertions from these facts. □ 

Case: $\deg(D) < \deg(B)$. In this case, 

$$\{Cy + D,\ (x^{-d} C - cA) y + (x^{-d} D - cB)\}$$

is a basis of $M$. Moreover 

(iii) $\deg(D) + \deg(x^{-d} C - cA) > \deg(C) + \deg(x^{-d} D - cB)$, 

(iv) $\deg(x^{-d} D - cB) - \deg(x^{-d} C - cA) < \deg(D) - \deg(C)$. 

Proof. The assertions follow similarly from the facts that 

$$\deg(x^{-d} C) = \deg(B) - \deg(D) + \deg(C) > \deg(A),$$

and that $\deg(x^{-d} D - cB) < \deg(B)$. □ 

By (i) and (iii), we see that the above procedure can be iterated with the new 
basis given above in two cases, until $\deg(C) + k - 1 \ge \deg(D)$. The last condition 
eventually holds because (ii) and (iv) imply that the gap between the $(k - 1)$-weighted 
degrees of $Cy$ and $D$ diminishes in each iteration. Hence we proved the 
following algorithm. 

Decoding Algorithm D. Given the received vector $r = (r_1, r_2, \dots, r_n)$, this 
algorithm finds the sent codeword $c$ if there are at most $\lfloor (n - k)/2 \rfloor$ errors in $r$. The 
polynomials $\eta = \prod_{i=1}^{n} (x - \alpha_i)$ and $u_i^{-1} h_i$ for $1 \le i \le n$ are precomputed. 

D1. Compute $-h_{r'} = -\sum_{i=1}^{n} r_i u_i^{-1} h_i$. 
D2. Set 

    $A \leftarrow 0, \quad B \leftarrow \eta, \quad C \leftarrow 1, \quad D \leftarrow -h_{r'}$. 

D3. If $\deg(C) + k - 1 \ge \deg(D)$, then go to step D6. 
D4. Set $d \leftarrow \deg(D) - \deg(B)$ and $c \leftarrow \mathrm{lc}(D)\, \mathrm{lc}(B)^{-1}$. 
D5. If $d \ge 0$, then set 

    $C \leftarrow C - c x^d A, \quad D \leftarrow D - c x^d B$. 

    If $d < 0$, then set, storing $A$ and $B$ in temporary variables, 

    $A \leftarrow C, \quad B \leftarrow D, \quad C \leftarrow x^{-d} C - cA, \quad D \leftarrow x^{-d} D - cB$. 

    Go back to step D3. 
D6. Output $\tau_u \circ \mathrm{ev}(-D/C)$ and the algorithm terminates. 
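
The following Python code is an added example, not code from the paper: it runs steps D1 to D6 over the prime field GF(13) with F = E, so that the alternant code is the generalized Reed-Solomon code itself. The field size, the representation of polynomials as coefficient lists, and all function names are assumptions of this example.

```python
P = 13  # assumed prime; F = E = GF(P). Polynomials: coefficient lists, low degree first

def trim(a):
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def deg(a): return len(a) - 1          # the zero polynomial [] has degree -1
def ev(a, x): return sum(c * pow(x, i, P) for i, c in enumerate(a)) % P
def encode(f, alpha, u): return [ui * ev(f, ai) % P for ai, ui in zip(alpha, u)]

def add(a, b):
    m = max(len(a), len(b))
    return trim([(a + [0] * m)[i] + (b + [0] * m)[i] for i in range(m)])

def mul(a, b):
    out = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def divmod_poly(a, b):                 # b must be nonzero
    q, r = [], trim(a)
    while deg(r) >= deg(b):
        t = [0] * (deg(r) - deg(b)) + [r[-1] * pow(b[-1], -1, P)]
        q, r = add(q, t), add(r, mul([-1], mul(t, b)))
    return q, r

def decode(r, alpha, u, k):
    eta = [1]
    for a in alpha:
        eta = mul(eta, [-a, 1])
    D = []                             # D1: D = -h_{r'}
    for ri, ai, ui in zip(r, alpha, u):
        th = divmod_poly(eta, [-ai, 1])[0]   # eta / (x - alpha_i)
        D = add(D, mul([-ri * pow(ui * ev(th, ai), -1, P)], th))
    A, B, C = [], eta, [1]             # D2
    while deg(C) + k - 1 < deg(D):     # D3
        d, c = deg(D) - deg(B), D[-1] * pow(B[-1], -1, P)   # D4
        if d >= 0:                     # D5, first case
            s = [0] * d + [-c]
            C, D = add(C, mul(s, A)), add(D, mul(s, B))
        else:                          # D5, second case: the basis elements swap
            s = [0] * -d + [1]
            A, B, C, D = C, D, add(mul(s, C), mul([-c], A)), add(mul(s, D), mul([-c], B))
    h, rem = divmod_poly(mul([-1], D), C)    # D6: -D / C
    return None if rem else encode(h, alpha, u)  # None: C does not divide D, too many errors
```

With α = (1, 2, 3, 4), u = (2, 3, 4, 5) and k = 2, `decode([3, 0, 8, 11], [1, 2, 3, 4], [2, 3, 4, 5], 2)` returns `[3, 0, 7, 11]`, the codeword of 3 + 5x, and the loop ends with C = x − 3, which vanishes at the error position.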

Alternatively we may use the Euclidean algorithm when we compute the new 
basis in the iteration steps, and obtain the algorithm below. We omit its proof, 
which can be found in [5]. 

Euclidean Decoding Algorithm E. This algorithm performs the same task as 
Algorithm D, but depends on the Euclidean algorithm. 

E1. Compute $-h_{r'} = -\sum_{i=1}^{n} r_i u_i^{-1} h_i$. 
E2. Set 

    $A \leftarrow 0, \quad B \leftarrow \eta, \quad C \leftarrow 1, \quad D \leftarrow -h_{r'}$. 

E3. If $\deg(C) + k - 1 \ge \deg(D)$, then go to step E6. 
E4. Compute $Q$ and $R$ such that $B = QD + R$, $\deg(R) < \deg(D)$ by the 
    Euclidean algorithm. 
E5. Set, storing $A$ in a temporary variable, 

    $A \leftarrow C, \quad B \leftarrow D, \quad C \leftarrow A - QC, \quad D \leftarrow R$. 

    Go back to step E3. 
E6. Output $\tau_u \circ \mathrm{ev}(-D/C)$ and the algorithm terminates. 



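4. BCH codes 

Let $\beta$ be a primitive $n$th root of unity, which lies in an extension field $\mathbb{E}$ of $\mathbb{F}$. 
For $b \in \mathbb{Z}$ and $1 \le \delta \le n$, the BCH code $\mathrm{BCH}(n, \delta, b)$ is defined by 

$$\mathrm{BCH}(n, \delta, b) = \{f(x) \in \mathbb{F}[x]_n \mid f(\beta^i) = 0 \text{ for } b \le i < b + \delta - 1\},$$

where we identify $f(x) = c_1 + c_2 x + \dots + c_n x^{n-1}$ with $(c_1, c_2, \dots, c_n) \in \mathbb{F}^n$. Note 
that by definition, $(c_1, c_2, \dots, c_n) \in \mathbb{F}^n$ is a codeword of $\mathrm{BCH}(n, \delta, b)$ if and only if 

$$\begin{pmatrix} 1 & \beta^{b} & \beta^{2b} & \cdots & \beta^{(n-1)b} \\ 1 & \beta^{b+1} & \beta^{2(b+1)} & \cdots & \beta^{(n-1)(b+1)} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \beta^{b+\delta-2} & \beta^{2(b+\delta-2)} & \cdots & \beta^{(n-1)(b+\delta-2)} \end{pmatrix} \begin{pmatrix} c_1 \\ c_2 \\ \vdots \\ c_n \end{pmatrix} = 0.$$

Observe that the matrix shown above is identical with the canonical generator 
matrix of $\mathrm{GRS}(\alpha, u, \delta - 1)$ over $\mathbb{E}$ with 

$$\alpha = \{1, \beta, \beta^2, \dots, \beta^{n-1}\}, \qquad u = \{1, \beta^{b}, \beta^{2b}, \dots, \beta^{(n-1)b}\}.$$

This means that $\mathrm{BCH}(n, \delta, b)$ can be viewed as the subfield subcode over $\mathbb{F}$ of the 
dual code of $\mathrm{GRS}(\alpha, u, \delta - 1)$ over $\mathbb{E}$. By Proposition 1 we see that 

$$\mathrm{BCH}(n, \delta, b) = \mathrm{GRS}(\alpha, v, n - \delta + 1) \cap \mathbb{F}^n$$

where $v = \{n^{-1} \beta^{(1-b)i} \mid 0 \le i \le n - 1\}$. Therefore this BCH code is an alternant 
code with designed distance $\delta$, which is also called the designed distance of the BCH 
code. As BCH codes are alternant codes, the decoding algorithm in the preceding 
section works for BCH codes. 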



5. Conclusion 

As noted in the Introduction, the decoding algorithm in Section 3 is equivalent 
to the Berlekamp-Massey algorithm. In particular, the interpolation in D1 of 
Algorithm D corresponds to the syndrome computation. Therefore the decoding 
algorithm of alternant codes that we described in this paper is nothing but a disguise 
of the classical decoding algorithm based on the Berlekamp-Massey algorithm, or 
vice versa. However, historically the classical decoding algorithm was first invented 
for BCH codes, and later found to work for general alternant codes. I believe that 
this historical accident has obscured the underlying principle of the decoding 
algorithm. Now Sudan's insight permits us to perceive that the classical decoding 
algorithm of alternant codes is in principle based on the properties of Reed-Solomon 
codes, but also works for BCH codes by accident. 